Package: moodle
Version: 1.8.2.dfsg-3+lenny3
Severity: grave
Tags: security patch
Justification: user security hole

MSA-10-0011:
Topic: Cross Site Scripting vulnerability in blog/index.php
Severity: Critical
Versions affected: <1.8.13 and <1.9.9
Reported by: Emmanuel Bouillon
Issue no.: MDL-22631
Solution: upgrade to 1.8.13 or 1.9.9
Workaround: apply patch or disable blogs
http://git.moodle.org/gw?p=moodle.git;a=commit;h=1f283c9acdf7b6a5c08b2768d3bf89b1e162d421
http://cvs.moodle.org/moodle/blog/lib.php?r1=1.80.2.20&r2=1.80.2.21

Description:
Some parameters were not being properly cleaned on the blog index page, 
allowing non-persistent cross-site scripting (XSS) attacks.


-- System Information:
Debian Release: 5.0.4
  APT prefers stable
  APT policy: (990, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/2 CPU cores)
Locale: LANG=en_US, LC_CTYPE= (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages moodle depends on:
ii  apache2-mpm-prefor 2.2.9-10+lenny7       Apache HTTP Server - traditional n
ii  debconf [debconf-2 1.5.24                Debian configuration management sy
ii  libapache2-mod-php 5.2.6.dfsg.1-1+lenny8 server-side, HTML-embedded scripti
ii  mimetex            1.50-1+lenny1         LaTeX math expressions to anti-ali
ii  mysql-client-5.0 [ 5.0.51a-24+lenny4     MySQL database client binaries
ii  php5-cli           5.2.6.dfsg.1-1+lenny8 command-line interpreter for the p
ii  php5-curl          5.2.6.dfsg.1-1+lenny8 CURL module for php5
ii  php5-gd            5.2.6.dfsg.1-1+lenny8 GD module for php5
ii  php5-mysql         5.2.6.dfsg.1-1+lenny8 MySQL module for php5
ii  smarty             2.6.20-1.2            Template engine for PHP
ii  ucf                3.0016                Update Configuration File: preserv
ii  wwwconfig-common   0.1.2                 Debian web auto configuration
ii  yui                2.5.0-1               Yahoo User Interface Library
ii  zip                2.32-1                Archiver for .zip files

Versions of packages moodle recommends:
ii  mysql-server-5.0 [ 5.0.51a-24+lenny4     MySQL database server binaries
ii  php5-ldap          5.2.6.dfsg.1-1+lenny8 LDAP module for php5

moodle suggests no packages.

-- debconf-show failed

Index: moodle/blog/lib.php
===================================================================
--- moodle/blog/lib.php	(revision 6)
+++ moodle/blog/lib.php	(revision 7)
@@ -649,17 +649,21 @@
 
 
     /// Find the base url from $_GET variables, for print_paging_bar
+    /// WARNING:  EVIL EVIL EVIL!  This function directly acesses $_GET which is a big no no. MDL-22631
+    /// I added some clean_param() calls for now but $_GET should just not ever be used directly.  
+    /// The function is totally gone in Moodle 2.0.
     function get_baseurl($filtertype, $filterselect) {
 
-        $getcopy  = $_GET;
 
-        unset($getcopy['blogpage']);
+        unset($_GET['blogpage']);
 
         $strippedurl = strip_querystring(qualified_me());
-        if(!empty($getcopy)) {
+        if(!empty($_GET)) {
             $first = false;
             $querystring = '';
-            foreach($getcopy as $var => $val) {
+            foreach($_GET as $var => $val) {
+               $var = clean_param($var, PARAM_ALPHANUM);   // See MDL-22631
+               $val = clean_param($val, PARAM_CLEAN);
                 if(!$first) {
                     $first = true;
                     if ($var != 'filterselect' && $var != 'filtertype') {
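Review bot: replacing the `$getcopy` copy with direct mutation of `$_GET` (`unset($_GET['blogpage'])` and the `foreach($_GET as $var => $val)` loop) is a regression the old code deliberately avoided: the superglobal is now altered for every later consumer in the same request, and it contradicts the comment added three lines above that `$_GET` should never be used directly. Keep `$getcopy = $_GET;`, unset and clean the copy's entries, and leave `$_GET` alone. The new `clean_param()` calls also only filter the strings; since `$var` and `$val` are about to be concatenated into a URL that is later emitted into HTML, the key and value should be `urlencode()`d when the query string is built and the finished URL escaped at the output sink, rather than relying on `PARAM_CLEAN`, which is an HTML sanitiser, not a URL encoder. Smaller point: `PARAM_ALPHANUM` strips anything outside `[A-Za-z0-9]` from `$var`, so a parameter name containing an underscore or hyphen is silently rewritten in the paging links rather than rejected; an allowlist of the parameter names this page actually accepts would be more predictable than cleaning arbitrary keys.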

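As an added illustration of the pattern the advisory describes (this is example code written for this note, not code from Moodle or from the patch above): a paging base URL rebuilt from request parameters, first in the unsafe style that reflects every `$_GET` key and value into the page, then a hardened version that copies only an allowlist of expected parameters, checks each against its expected type, URL-encodes the query string and HTML-escapes the link at the output sink. The allowlist entries, the function names and the sample request are assumptions made for the example; the real page's parameter set is not shown in the report.

```php
<?php
// Added example, not Moodle code. Demonstrates the reflected-XSS pattern from
// MSA-10-0011 (request parameters copied into a paging URL) and a hardened form.

// Unsafe: every key and value of the request is reflected verbatim into the URL
// that will later be echoed into a paging bar. An attacker-controlled key or
// value such as '"><script>alert(1)</script>' reaches the page unescaped.
function unsafe_baseurl(array $get, string $script): string
{
    unset($get['blogpage']);
    $pairs = [];
    foreach ($get as $var => $val) {
        $pairs[] = "$var=$val";
    }
    return $script . ($pairs ? '?' . implode('&', $pairs) : '');
}

// Hardened: only parameters the page knows about are copied, each is coerced
// to its expected type, and the query string is URL-encoded. The allowlist is
// an assumption for this example, not the real page's parameter set.
const BASEURL_PARAMS = [
    'filtertype'   => 'alpha',   // e.g. "site", "course", "user"
    'filterselect' => 'int',
    'courseid'     => 'int',
    'tagid'        => 'int',
];

function safe_baseurl(array $get, string $script): string
{
    $clean = [];
    foreach (BASEURL_PARAMS as $name => $type) {
        if (!isset($get[$name]) || is_array($get[$name])) {
            continue;                       // absent or malformed: drop it
        }
        $raw = (string) $get[$name];
        if ($type === 'int') {
            if (!preg_match('/^\d+$/', $raw)) {
                continue;                   // reject rather than "clean"
            }
            $clean[$name] = (int) $raw;
        } else {                            // 'alpha'
            if (!preg_match('/^[a-z]+$/i', $raw)) {
                continue;
            }
            $clean[$name] = $raw;
        }
    }
    $url = $script;
    if ($clean) {
        $url .= '?' . http_build_query($clean, '', '&');
    }
    return $url;
}

// Escaping belongs at the sink: here the URL becomes an HTML attribute value,
// so it is passed through htmlspecialchars() at the moment it is placed there.
function paging_link(string $baseurl, int $page): string
{
    $sep  = strpos($baseurl, '?') === false ? '?' : '&';
    $href = $baseurl . $sep . 'blogpage=' . $page;
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">'
         . $page . '</a>';
}

// Constructed request (not a real capture): a legitimate filter plus an
// injected parameter name of the kind the unsafe version would reflect.
$request = [
    'filtertype'   => 'site',
    'filterselect' => '0',
    'blogpage'     => '2',
    '"><script>alert(1)</script>' => '1',
];

echo unsafe_baseurl($request, 'blog/index.php'), "\n";
echo paging_link(safe_baseurl($request, 'blog/index.php'), 3), "\n";
```

Run with `php example.php`: the first line shows the injected key surviving intact in the unsafe URL, the second shows the hardened link containing only the allowlisted parameters, with `&` rendered as `&amp;` inside the attribute. The design point is that rejecting unexpected input and encoding for the output context replaces the attempt to "clean" arbitrary request keys and values in place.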